A Routing-Driven Key Management Scheme for ... - IEEE Xplore

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the ICC 2007 proceedings.

A Routing-Driven Key Management Scheme for Heterogeneous Sensor Networks Xiaojiang Du

Yang Xiao

Dept. of Computer Science, North Dakota State University Fargo, ND 58105, USA, [email protected]

Dept. of Computer Science, The University of Alabama Tuscaloosa, AL 35487, USA, [email protected]

Song Ci

Mohsen Guizani

Dept. of Computer & Electronics Eng., Univ. of Nebraska Lincoln, NE 68182, USA, [email protected]

CIT College, United Arab University Al-Ain, United Arab Emirates, [email protected]

Hsiao-Hwa Chen Institute of Communications Engineering, National Sun Yat-Sen University, Taiwan, [email protected] Abstract –The many-to-one traffic pattern dominates in sensor networks, where a large number of sensor nodes send data to one sink. A sensor node may only communicate with a small portion of its neighbors. Most existing key management schemes for sensor networks are designed to establish shared keys for all pairs of neighbor sensors, no matter whether they communicate with each other or not, and this causes large overhead. To achieve better security and performance, we adopt a Heterogeneous Sensor Network (HSN) model. In this paper, we propose a novel routing-driven key management scheme, which only establishes shared keys for neighbor sensors that may communicate with each other. Recent work has demonstrated the feasibility of implementing Elliptic Curve Cryptography on small sensor nodes. We utilize Elliptic Curve Cryptography to design an efficient key management scheme for HSN. The performance evaluation and security analysis show that our key management scheme can provide better security with significant saving on sensor storage space and energy consumption than some existing key management schemes. Key words: Security, key management, sensor network, Elliptic Curve Cryptography.

I.

INTRODUCTION

Sensor networks have applications in many areas, such as military, homeland security, health care, environment, agriculture, manufacturing, and so on. Most previous work on sensor networks considered homogeneous sensor networks, i.e., all sensor nodes have the same capability in terms of communication, computation, energy supply, storage space, reliability, etc. However, a homogeneous ad hoc network has poor fundamental limits and performance. Research has demonstrated its performance bottleneck both theoretically [1, 2] and through simulation experiments and testbed measurements [3]. Use of heterogeneous nodes in sensor networks is not new. Recently deployed sensor network systems are increasingly following heterogeneous designs, incorporating a mixture of sensors with widely varying

capabilities [4]. For example, a sensor network may include small MICA sensors as well as more powerful high-end nodes such as robotic nodes [4]. Several recent literatures [5-8] have studied non-security aspects of HSN. However, security issues of HSN remain largely unexplored. Security is critical to sensor networks deployed in hostile environments, such as military battlefield. Security issues in homogeneous sensor networks have been extensively studied. Key management is an essential cryptographic primitive upon which other security primitives are built. Several key management schemes have been proposed for homogeneous sensor networks. In [9], Eschenauer and Gligor first present a key probabilistic pre-distribution scheme for key management in sensor networks. Later, a few other key pre-distribution schemes (e.g., [10~13]) have been proposed. Probabilistic key pre-distribution is a promising scheme for key management in sensor networks. To ensure the scheme works well, the probability that each sensor has at least one shared key with a neighbor sensor (referred to as key-sharing probability) should be high. For the key pre-distribution scheme in [9], each sensor randomly selects its key ring from a key pool of size P. When the key pool size is large, each sensor needs to pre-load a large number of keys to achieve a high key-sharing probability. For example, when P is 10,000, each sensor needs to pre-load more than 150 keys for a keysharing probability of 0.9 [9]. If the key length is 256 bits, then 150 keys require a storage space of 4,800 bytes. Such a storage requirement is too large for many sensor nodes. For example, a smart dust sensor [14] has only 8K bytes of program memory and 512 bytes of data memory. The above discussion shows that many existing key management schemes (e.g., [9-13]) require a large storage space for key pre-distribution and are not suitable for small sensor nodes. In this paper, we present an efficient key management scheme that only requires small storage space of sensor nodes. The scheme achieves significant storage saving

1-4244-0353-7/07/$25.00 ©2007 IEEE 3407


by utilizing an efficient public key algorithm and the fact that a sensor node only communicates with a small portion of its neighbors. Below we briefly discuss the two issues. More details are given in Section II. Most existing key management schemes for sensor networks are designed to set up shared keys for all pairs of neighbor sensors, without considering the actual communication pattern. In many sensor networks, sensor nodes are densely deployed in the field. One sensor could have as many as 30 or more neighbors [15]. The many-to-one traffic pattern dominates in typical sensor networks, where all sensors send data to one (or a few) sink. Because of the manyto-one traffic pattern, a sensor node only communicates with a small portion of its neighbors, e.g., neighbor sensors that are in the routes from itself to the sink. This means that a sensor node does not need shared keys with all neighbors. Below we give a definition that considers the fact. Definition 1 - c-neighbor: A neighbor sensor node v is referred to as a communication neighbor (c-neighbor) of sensor node u, if v is in a route use by u to reach the sink. Based on the above observation, we propose a novel idea for efficient key management in sensor networks. A key management scheme only needs to set up shared keys for each sensor and its c-neighbors, i.e., it does not need to set up shared keys for each pair of neighbor sensors. The new scheme can significantly reduce the overhead of key establishment in sensor networks. For example, suppose that a sensor node u has 30 neighbors but may only send packets to 2 neighbors (e.g., one primary next-hop node and one backup). Using traditional key management schemes (such as [9] and [10]), 30 pairwise keys need to be established for u, one key for each neighbor. Using the new scheme, only 2 pairwise keys need to be set up for u, one for each c-neighbor. Thus, the new scheme can greatly reduce communication and computation overhead, and hence reduce sensor energy consumption. Public-key cryptography has been considered too expensive for small sensor nodes, because typical public-key algorithms (e.g., RSA) require extensive computations and are not suitable for tiny sensors. The small key size and low computational overhead of Elliptic Curve Cryptography (ECC) [16, 17] provides new opportunities to utilize public-key cryptography in sensor networks. For example, 160-bit ECC offers the comparable security to 1024-bit RSA [18]. The recent implementation of 160-bit ECC on Atmel ATmega128, a CPU of 8Hz and 8 bits, shows that an ECC point multiplication takes less than one second [18], which demonstrates that the ECC public-key cryptography is feasible for sensor networks. Compared with symmetric key cryptography, public-key cryptography provides a more flexible and simple interface, requiring no key pre-distribution, no pair-wise key sharing, and no complicated one-way key chain scheme. ECC can be combined with Diffie-Hellman approach to provide key exchange scheme for two communication parties. ECC can also be utilized for generating digital signature, data encryption and decryption. The Elliptic Curve Digital

Signature Algorithm (ECDSA) utilizes ECC to generate digital signature for authentication and other security purposes [19, 20]. Several approaches for encryption and decryption using ECC have been proposed [16, 17, 19]. Because of the page limit, we do not describe these ECC schemes in the paper. Please refer to references [16-20] for the details. In this paper, we present an efficient key management scheme for HSN which utilizes the c-neighbor concept and ECC public-key cryptography. Typical sensor nodes are unreliable devices and may fail overtime. Our key management scheme considers communication topology change caused by node failures, i.e., the scheme set up pairwise keys for each sensor with more than one neighbor. In case the primary next-hop node fails, a backup node is used for communications. In addition, if there is a need for two neighbor sensor nodes to set up shared keys later (e.g., in case all backup nodes fail); they can do this with the help from other neighbors [9]. The rest of the paper is organized as follows. Section II presents the routing-driving key management scheme. Section III gives the simulation results and security analysis. Section IV concludes this paper. II.

THE ROUTING DRIVEN KEY MANAGEMENT SCHEME

In this Section, we present an efficient key management scheme for HSN which utilizes ECC and the many-to-one communication pattern in sensor networks. The scheme is referred to as ECC-based key management scheme. We adopt a realistic model of HSN that can be used in most sensor network applications. The HSN model consists of a small number of powerful high-end sensors (H-sensors) and a large number of low-end sensors (L-sensors). Both H-sensors and L-sensors are powered by batteries and have limited energy supply. L-sensors use multi-hop communications to reach Hsensors, and H-sensors use multi-hop communications to reach the sink. First, we list the assumptions of HSN below. 1. Due to cost constraints, L-sensors are not equipped with tamper-resistant hardware. Assume that if an adversary compromises a L-sensor, she can extract all key material, data, and code stored in that node. 2. H-sensors are equipped with tamper-resistant hardware. It is reasonable to assume that powerful H-sensors are equipped with the technology. In addition, the number of H-sensors in a HSN is small (e.g., 20 H-sensors and 1,000 L-sensors in a HSN). Hence, the total cost of tamper-resistant hardware in a HSN is low. 3. Each L-sensor (and H-sensor) is static and aware of its own location. Sensor nodes may use secure location services such as [23] to estimate their locations, and no GPS receiver is required at each node. 4. Each L-sensor (and H-sensor) has a unique node ID. 5. The sink is well protected and trusted. Since H-sensors are powerful nodes, key establishment for H-sensors are relatively easy. For example, each H-sensor can be pre-loaded with a special key K H , which is protected by the tamper resistant hardware. After deployment, two H-

3408


sensors can use K H to achieve secure communications. In this paper, we focus on key establishment for L-sensors. The notations used in the rest of the paper are listed below: • u, v, x, y, n are L-sensors; H is a H-sensor; • {m}k denotes encrypting message m with key k. Next, we briefly describe cluster formation in HSN. A. Cluster Formation in HSN We adopt a typical assumption of sensors’ locations – assume both L-sensors and H-sensors are uniformly and randomly distributed in the network. Note that our key management scheme does not rely on such sensor distribution, i.e., it also works well for other sensor distributions. After sensor deployment, clusters are formed in a HSN. We have designed an efficient clustering scheme for HSN in [22]. Because of the page limit, we will not describe the details of the clustering scheme in this paper. For the simplicity of discussion, we assume that each H-sensor can communicate directly with its neighbor H-sensors (if not, then relay via Lsensors can be used). All H-sensors form a backbone in a HSN. After cluster formation, a HSN is divided into multiple clusters, where H-sensors serve as the cluster heads. If the network is a two-dimensional plane, each L-sensor selects the closest H-sensor as the cluster head (except when there is an obstacle in between), and this leads to the formation of a Voronoi diagram where the cluster heads are the nuclei of the Voronoi cells. An illustration of the cluster formation is shown in Figure 1, where the small squares are L-sensors, the large rectangles are H-sensors, and the large square at the left-bottom corner is the sink. Figure 1: Cluster formation in a HSN

B. The Routing Structure in HSN In a HSN, the sink, H-sensors and L-sensors form a hierarchical network architecture. Clusters are formed in the network and H-sensors serve as cluster heads. All H-sensors form a communication backbone in the network. Powerful Hsensors have sufficient energy supply, long transmission range, high date rate, and thus provide many advantages for designing more efficient routing protocols. We have designed an efficient routing protocol for HSN in [23]. Routing in HSN consists of two phases: 1) Intra-cluster routing: Each L-sensor sends data to its cluster head (a H-sensor); and 2) Inter-cluster routing: Each cluster head may aggregate data from multiple L-sensors and then sends compressed data to the sink via the H-sensor backbone. The routing structure in HSN is illustrated

in Figure 1. Before discuss key establishment for L-sensors, we briefly describe the intra-cluster routing scheme in [23]. An intra-cluster routing scheme determines how to route packets from a L-sensor to its cluster head. When a L-sensor sends a packet to its cluster head (say H), the packet is forwarded by other L-sensors in the cluster. We use Figure 1 to describe an intra-cluster routing scheme. The basic idea is to let all L-sensors (in a cluster) form a tree rooted at the cluster head H. It has been shown in [22] that: (1) If complete data fusion is conducted at intermediate nodes, (i.e., two k-bit packets come in, and one k-bit packet goes out after data fusion) then a minimum spanning tree (MST) consumes the least total energy in the cluster. (2) If there is no data fusion within the cluster, then a shortest-path tree (SPT) consumes the least total energy. (3) For partial fusion, it is a NPcomplete problem of finding the tree that consumes the least total energy. For sensor networks where data generated by neighbor sensors are highly correlated (e.g., two k-bit packets are aggregated to one m-bit packet, where m is close to k), a MST may be used to approximate the least energy consumption case. To construct a MST, each L-sensor sends its location information to the cluster head H, and then H can run a centralized MST algorithm to construct the tree. After constructing the MST, H can disseminate the tree structure (parent-child relationships) to all L-sensors using one or more broadcasts. For example, a pair (u, v) can be used to denote that L-sensor u is v’s parent node. If the cluster is small, one broadcast message can include all the pairs. If the cluster is large, then it can be divided into several sections. For example, the top-right cluster in Figure 1 is divided into four sections by the dotted lines. Then H can notify L-sensors in each section by one broadcast. Note that the broadcast from a cluster head needs to be authenticated. Otherwise, an adversary may broadcast malicious messages and disrupt the dissemination of routing information. We discuss the broadcast authentication in next subsection. For sensor networks where the data from neighbor sensors have little correlation, a SPT can be constructed; using either centralized or distributed algorithms. Since L-sensors are small, unreliable devices and may fail overtime, robust and self-healing routing protocols are critical to ensure reliable communications among L-sensors. During the tree setup, the MST or SPT algorithm can find more than one parent nodes for each L-sensor. One parent node serves as the primary parent, and other parent nodes serve as backup parents. In case the primary parent node fails, a L-sensor uses a backup parent for routing. Given the tree-based routing structure within a cluster, each L-sensor only needs to establish shared keys with its cneighbors, i.e., its parent-nodes and child-nodes. In the next subsection, we discuss how to establish shared keys. C. The ECC-based Key Management Scheme One possible key management scheme is to let every Lsensor set up shared keys with each of its neighbors by using the ECC Diffie-Hellman key exchange scheme [20]. However, there is a computation problem with such approach. In many sensor networks, nodes are densely deployed in the field. One

3409


sensor could have as many as 30 or more neighbors [15]. Although ECC public-key cryptography is feasible for small sensor nodes, a 160-bit ECC point multiplication still takes about one second. It would need too much computation and energy for a L-sensor to run ECC with each of its 30 neighbors. In this subsection, we present an efficient key management scheme that requires only a small number of ECC computations in each L-sensor. The scheme is presented below. A server is used to generate pairs of ECC public and private keys, one pair for each L-sensor (and H-sensor). The server selects an elliptic curve E over a large finite field F and a point P on that curve. Each L-sensor (say u) is pre-loaded with the private key (say KuR = Iu ). A H-sensor has large storage space and is pre-loaded with public keys of all the Lsensors (e.g., K uU = I u P , etc). Each H-sensor also stores the association between each L-sensor and its private key. Each H-sensor (say H) is pre-loaded with a pair of ECC public key (say K UH = I H P ) and private key (say KHR = I H ). The public keys of H-sensors are also loaded in each L-sensor, and the keys are used to authenticate broadcasts from Hsensors. The ECDSA algorithm [20] is used for authenticating broadcasts from H-sensors. When H broadcasts the routing structure information (e.g., the MST) to L-sensors, a digital signature is calculated over the message using H’s private key. Each L-sensor can verify the digital signature by using H’s public key, and thus authenticate the broadcast. In addition, each H-sensor is pre-loaded with a special key K H , which is used by a symmetric cryptography algorithm for verifying newly-deployed sensors and for secure communications among H-sensors. The pre-loaded keys in H-sensors are protected by the tamper-resistant hardware. Even if an adversary captures a H-sensor, she could not obtain the key materials. Given the protection from the tamper-resistant hardware, the same pair of ECC public/private keys may be used by all H-sensors, and this can reduce the storage overhead. Assume each L-sensor can determine its location by using some secure location services, such as the scheme in [21]. After selecting a cluster head H, each L-sensor u sends to H a clear (un-encrypted) Key-request message, which includes the L-sensor ID – u, and u’s location. A greedy geographic routing protocol (e.g., the scheme in [25]) may be used to forward the Key-request message to H. Note that the location of a cluster head is known to all L-sensors in the cluster during cluster formation [22]. A L-sensor sends the Key-request message to the neighbor L-sensor that has the shortest distance to the cluster head, and the next node performs similar operation, until the packet arrives at the cluster head. In case there is a void during greedy geographic routing (i.e., all the neighbors have longer distances to the cluster head than that from the node itself), several recover schemes can be used to solve the problem, e.g., routing a packet around the faces of a planar sub-graph extracted from the original network [26].

After a certain time, the cluster head H should receive Keyrequest messages from all (or most) L-sensors in its cluster, then H uses a centralized MST or SPT algorithm to determine the tree structure in the cluster. Next, H generates shared-keys for each L-sensor and its c-neighbors. For a L-sensor u and its c-neighbor v, H generates a random key K u , v . Note that K u , v is a key for a symmetric cryptography algorithm, e.g., RC4. Recall that H is pre-loaded with the public keys of all Lsensors. H encrypts K u , v by using the ECC encryption scheme [20] and u’s public key, and then H unicasts the message to u. L-sensor u decrypts the message and obtain the shared key between itself and v. After all L-sensors obtain the sharedkeys, they can communicate securely with their c-neighbors.

D. Key Revocation When a L-sensor is compromised by an adversary, all the keys used by this L-sensor needs to be revoked. Assume that the node compromise is detected by some scheme and is reported to the cluster head H. After detection, H can disseminate a Revocation message containing a list of the keys to be revoked. A digital signature (denoted as sign) is calculated over the key list by using the ECDSA algorithm [20] and H’s private key, and the sign is appended after the key list. The format of the Revocation message is:

Ku ,v ; Ku, x ; Ku, y ;...Ku , z ; KuB + sign Since each L-sensor knows H’s public key, when a Lsensor receives the Revocation message, it can check the integrity of the message by verifying the digital signature. This prevents an adversary from sending a false Revocation message. III.

PERFORMANCE EVALUATION

In this Section, we evaluate the performance of our ECCbased key management scheme. The key pre-distribution scheme proposed by Eschenauer and Gligor [9] is used for comparison, and it is referred to as the E-G scheme. We compare the storage requirement and energy consumption in subsection A and B, respectively. The security analysis is presented in subsection C.

A. Significant Storage Saving Assume that the number of H-sensors and L-sensors in a HSN is M and N, respectively. Typically we have M